Hmm....How would persons know what is the website they are viewing on without the URL? Dev Anand On Fri, Feb 7, 2020 at 2:33 PM Johan Helsingius <julf@julf.com> wrote:

Maybe realize URLs aren't really there for humans to read them?

Julf

On 07-02-2020 19:06, Dev Anand Teelucksingh wrote:

...

"In this episode, Jake makes the case that URLs are impossible for humans to interpret, especially when it comes to security. What are browsers doing today to overcome that? And, is there a better way"

Watch the 20 min episode : https://youtu.be/0-wB1VY3Nrc

Dev Anand

_______________________________________________ ttf mailing list ttf@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/ttf

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

_______________________________________________ ttf mailing list ttf@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/ttf

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

A large problem is when bad persons obscure the domains of companies in phishing campaigns so that persons go to the bad persons' website on another domain and steal their credentials or get malware installed. So say you get an email link from a trusted person whose been hacked saying - "hey we're not sure your paycheck was delivered to mybankinfo. Can you login to mybankinfo.com.paymentlogin.info and check? The challenge is that persons may just see "mybankinfo.com" and assume they are going to the mybankinfo.com site. And because they clicked on the link, how would the browser "know" what the site you really intended to go to? Dev Anand On Fri, Feb 7, 2020 at 3:04 PM Johan Helsingius <julf@julf.com> wrote:

On 07-02-2020 19:49, Dev Anand Teelucksingh wrote:

...

Hmm....How would persons know what is the website they are viewing on without the URL?

How many users check out the website info in URLs anyway? How will they know that Mybankinfo.com is OK, but mybank.info isn't?

Shouldn't it be the job of the browser to check if the web site is the one you want to talk to (based on certificates)?

Julf

_______________________________________________ ttf mailing list ttf@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/ttf

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Well most persons would - click on links, - see visually the site looks like the site they are used to, - may see a padlock so they think it’s safe ; - may see from the url bar if the domain is the one they are accustomed to ; - see the name of the company/service they are going to as part of the long URL and assume it’s legit. - consider how long URLs to documents or files are delivered https://community.icann.org/display/atlarge/2020-01-27+At-Large+Technology+T... A bad person could create a link like https://community.icann.org.can.work/display/atlarge/2020-01-27+At-Large+Tec... and I dare say most would find it hard to figure out whether it’s legit or not. And if the link to the file is a malware file that opens and executed on clicking, then it’s too late. Dev Anand On Fri, 7 Feb 2020 at 3:59 PM, Johan Helsingius <julf@julf.com> wrote:

The fact is that people click on links and do searches, they don't type in domain addresses.

Anyway, how do you know "mybankinfo.com" is a safe site in the first place? And if someone can steal credentials or place malware, looking at the URL won't help.

Julf

On 07-02-2020 20:52, Dev Anand Teelucksingh wrote:

...

A large problem is when bad persons obscure the domains of companies in phishing campaigns so that persons go to the bad persons' website on another domain and steal their credentials or get malware installed.

So say you get an email link from a trusted person whose been hacked saying - "hey we're not sure your paycheck was delivered to mybankinfo. Can you login to mybankinfo.com.paymentlogin.info <http://mybankinfo.com.paymentlogin.info> and check? The challenge is that persons may just see "mybankinfo.com <http://mybankinfo.com>" and assume they are going to the mybankinfo.com <http://mybankinfo.com> site. And because they clicked on the link, how would the browser "know" what the site you really intended to go to?

Dev Anand

On Fri, Feb 7, 2020 at 3:04 PM Johan Helsingius <julf@julf.com <mailto:julf@julf.com>> wrote:

On 07-02-2020 19:49, Dev Anand Teelucksingh wrote: > Hmm....How would persons know what is the website they are viewing on > without the URL?

How many users check out the website info in URLs anyway? How will they know that Mybankinfo.com is OK, but mybank.info <http://mybank.info> isn't?

Shouldn't it be the job of the browser to check if the web site is the one you want to talk to (based on certificates)?

Julf

_______________________________________________ ttf mailing list ttf@atlarge-lists.icann.org <mailto:ttf@atlarge-lists.icann.org> https://mm.icann.org/mailman/listinfo/ttf

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

_______________________________________________ ttf mailing list ttf@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/ttf

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

_______________________________________________ ttf mailing list ttf@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/ttf

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Another point I missed - one could try verify the owner of the url from the Whois if they were aware of Whois in the first place. But it seems likely that the replacement to Whois data underway with the EPDP discussions (triggered by the GDPR) will create barriers to see who owns a domain. Dev Anand On Sat, 8 Feb 2020 at 7:33 AM, Dev Anand Teelucksingh <devtee@gmail.com> wrote:

Well most persons would - click on links, - see visually the site looks like the site they are used to, - may see a padlock so they think it’s safe ; - may see from the url bar if the domain is the one they are accustomed to ; - see the name of the company/service they are going to as part of the long URL and assume it’s legit.

- consider how long URLs to documents or files are delivered https://community.icann.org/display/atlarge/2020-01-27+At-Large+Technology+T...

A bad person could create a link like

https://community.icann.org.can.work/display/atlarge/2020-01-27+At-Large+Tec...

and I dare say most would find it hard to figure out whether it’s legit or not. And if the link to the file is a malware file that opens and executed on clicking, then it’s too late.

Dev Anand

On Fri, 7 Feb 2020 at 3:59 PM, Johan Helsingius <julf@julf.com> wrote:

...

The fact is that people click on links and do searches, they don't type in domain addresses.

Anyway, how do you know "mybankinfo.com" is a safe site in the first place? And if someone can steal credentials or place malware, looking at the URL won't help.

Julf

On 07-02-2020 20:52, Dev Anand Teelucksingh wrote:

...

A large problem is when bad persons obscure the domains of companies in phishing campaigns so that persons go to the bad persons' website on another domain and steal their credentials or get malware installed.

So say you get an email link from a trusted person whose been hacked saying - "hey we're not sure your paycheck was delivered to mybankinfo. Can you login to mybankinfo.com.paymentlogin.info <http://mybankinfo.com.paymentlogin.info> and check? The challenge is that persons may just see "mybankinfo.com <http://mybankinfo.com>" and assume they are going to the mybankinfo.com <http://mybankinfo.com> site. And because they clicked on the link, how would the browser "know" what the site you really intended to go to?

Dev Anand

On Fri, Feb 7, 2020 at 3:04 PM Johan Helsingius <julf@julf.com <mailto:julf@julf.com>> wrote:

On 07-02-2020 19:49, Dev Anand Teelucksingh wrote: > Hmm....How would persons know what is the website they are viewing on > without the URL?

How many users check out the website info in URLs anyway? How will they know that Mybankinfo.com is OK, but mybank.info <http://mybank.info

isn't?

Shouldn't it be the job of the browser to check if the web site is the one you want to talk to (based on certificates)?

Julf

_______________________________________________ ttf mailing list ttf@atlarge-lists.icann.org <mailto:ttf@atlarge-lists.icann.org> https://mm.icann.org/mailman/listinfo/ttf

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

_______________________________________________ ttf mailing list ttf@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/ttf

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

_______________________________________________ ttf mailing list ttf@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/ttf

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

The hyperlink in webpages (and emails) is the cornerstone of how the web worked. There could be url links to files that are very long and designed that way on purpose. For example https://community.icann.org.xyz/display/atlarge/2020-01-27+At-Large+Technolo... Consider links to google docs, Dropbox where the design is to create long urls to files. I doubt many persons would retype such long urls especially if it’s coming from someone they trust Dev Anand On Sat, 8 Feb 2020 at 5:53 AM, Judith Hellerstein <judith@jhellerstein.com> wrote:

All, The problem here is that they are clicking on the link which they should never do. They should go to their bank’s website and login from there. It is just training and educating people on the right thing to do

Judith

Sent from my iPad judith@jhellerstein.com Skype ID:JudithHellerstein

On Feb 8, 2020, at 5:53 AM, Dev Anand Teelucksingh <devtee@gmail.com> wrote:



A large problem is when bad persons obscure the domains of companies in phishing campaigns so that persons go to the bad persons' website on another domain and steal their credentials or get malware installed.

So say you get an email link from a trusted person whose been hacked saying - "hey we're not sure your paycheck was delivered to mybankinfo. Can you login to mybankinfo.com.paymentlogin.info and check? The challenge is that persons may just see "mybankinfo.com" and assume they are going to the mybankinfo.com site. And because they clicked on the link, how would the browser "know" what the site you really intended to go to?

Dev Anand

On Fri, Feb 7, 2020 at 3:04 PM Johan Helsingius <julf@julf.com> wrote:

...

On 07-02-2020 19:49, Dev Anand Teelucksingh wrote:

...

Hmm....How would persons know what is the website they are viewing on without the URL?

How many users check out the website info in URLs anyway? How will they know that Mybankinfo.com is OK, but mybank.info isn't?

Shouldn't it be the job of the browser to check if the web site is the one you want to talk to (based on certificates)?

Julf

_______________________________________________ ttf mailing list ttf@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/ttf

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

_______________________________________________ ttf mailing list ttf@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/ttf

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.